Angular授权
[英]Angular authorization
问题描述
I have built an application which has user authentication and authorization.
我构建了一个具有用户身份验证和授权的应用程序。 So if user is authenticated it will be redirected to a route where user can post the form data .因此,如果用户通过身份验证,它将被重定向到用户可以发布form data的路由。 Here while posting the data let's say name & hobbies a userID is generated by backend.在这里发布数据时,让我们说name和hobbies ,一个userID是由后端生成的。
Below is the response以下是回应
{
posts:[
name: "manoj"
hobbies: "Reading books"
creator: "4543300vdvdvE33"
]
}
Now I'm handling my posts view route which is iterated using *ngFor= 'let post of posts' .现在我正在处理我的帖子视图路由,该路由使用*ngFor= 'let post of posts'进行迭代。 Here i'm using *ngIf= userIsAuthenticated && userId= post.created to show the posts only if theuser is authenticated and if he is the creator of the post.在这里,我使用*ngIf= userIsAuthenticated && userId= post.created仅当用户经过身份验证并且他是帖子的创建者时才显示帖子。
Is there any better way to handle this situation directly through login, like Only A posts should be visible to A or this should be directly handled in the backend to get the respective posts after login?有没有更好的方法直接通过登录来处理这种情况,比如只有A帖子对A可见,或者这应该直接在后端处理以在登录后获取相应的帖子?
2 个解决方案
解决方案1
0 2020-05-18 07:25:49
For security reasons, you should definitely only query posts by the user and return his posts.出于安全原因,您绝对应该只查询用户的帖子并返回他的帖子。 If you don't filter it first, not only do you run the risk of overloading your API with an outrageous amount of return data, but also you expose the posts of other users to the client in case the user is tech savvy and checking your API response via client debug tools.如果你不先过滤它,你不仅会冒着让你的 API 超载的风险,返回数据量大得离谱,而且你还会把其他用户的帖子暴露给客户端,以防用户精通技术并检查你的API 通过客户端调试工具响应。
解决方案2
0 2020-05-18 09:35:44
yes he is right, you need an api in the backend that it takes a userId parameter and it will get you all posts related to that userId.是的,他是对的,您在后端需要一个 api,它需要一个 userId 参数,它将为您提供与该 userId 相关的所有帖子。 then in the intended page you should call it.然后在预期的页面中你应该调用它。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.